Configure Cisco Logging to Rsyslog on Debian

Network administrators are often required to keep logs from their Cisco devices, either for troubleshooting or to comply with an IT security policy. In this article I describe a fast and easy way to save logs from your Cisco devices to an rsyslog server on Debian Linux.

The first step is to edit the rsyslog configuration file. Open /etc/rsyslog.conf and add the following lines:

#
# Logging for Cisco router 192.168.1.1
#
local7.*                        /var/log/cisco

local7 is the default facility under which Cisco devices log their messages. /var/log/cisco specifies the file to which messages will be written. You also have to uncomment or add the lines below, which enable rsyslogd to listen on UDP port 514.

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

The last change to rsyslog.conf is to allow your Cisco device to send messages to the server, which is done with the entry below:

$AllowedSender UDP, 127.0.0.1, 192.168.1.1

Then we create the log file with the touch command:

linq:/etc# cd /var/log
linq:/var/log# touch cisco

After making all the changes, we just have to restart the rsyslog service to apply them.

linq:/var/log# /etc/init.d/rsyslog restart
Stopping enhanced syslogd: rsyslogd.
Starting enhanced syslogd: rsyslogd.

To start sending messages from our router to the syslog server we need to configure logging. First we set the syslog server IP address with the logging host command. We can limit which messages are logged with the logging trap command. All available levels are summarized in the table below.

Log in to the router:
z-acte#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
z-acte(config)#logging host 192.168.1.19 sequence-num-session
z-acte(config)#logging trap 7

logging trap 7 sets logging to the debugging level.
Sometimes we may additionally need to log all NAT translations, which can be enabled with the ip nat log translations command.

z-acte(config)#ip nat log translations syslog

Table of logging levels

Level  Keyword        Description
0      emergencies    System is unusable.
1      alerts         Immediate action is needed.
2      critical       Critical conditions exist.
3      errors         Error conditions exist.
4      warnings       Warning conditions exist.
5      notifications  Normal, but significant, conditions exist.
6      informational  Informational messages.
7      debugging      Debugging messages.

To check that everything works correctly, issue the command below:

z-acte#debug ip packet

In your log on Linux you should see an entry similar to the one below:

Feb 24 03:40:45 192.168.1.1 187368786: [syslog@9 s_sn="186126345"]: 188251944: *Feb 24 03:34:30.023 PCTime: IP: tableid=0, s=192.168.1.1 (local), d=192.168.1.19 (Vlan1), routed via FIB

To disable packet debugging use the command below:

z-acte#no debug ip packet

To check that NAT translations are being logged correctly, issue a ping from any host on your network to a remote host, which should generate an entry similar to the one below:

Feb 24 03:43:16 192.168.1.1 187368860: [syslog@9 s_sn="186126419"]: 188252014: *Feb 24 03:36:59.631 PCTime: %IPNAT-6-CREATED: icmp 192.168.1.2:4 62.89.67.179:4 212.77.100.101:4 212.77.100.101:4
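
The Python parser below is an added example, not part of the original article. It reads lines in the format of the two sample entries above and splits them into sender, session sequence number, severity keyword and NAT translation fields. The order assigned to the four address:port pairs (inside local, inside global, outside local, outside global) is an assumption, and all function and variable names are illustrative.

```python
import re

# Line layout taken from the article's two sample entries:
# <receive time> <sender> ... [syslog@9 s_sn="N"]: ... %FACILITY-SEVERITY-MNEMONIC: text
HEADER = re.compile(r'^(?P<received>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<sender>\S+) ')
SEQ = re.compile(r'\[syslog@9 s_sn="(?P<sn>\d+)"\]')
TAG = re.compile(r'%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$')
SEVERITY = ["emergencies", "alerts", "critical", "errors", "warnings",
            "notifications", "informational", "debugging"]
# Assumption: order of the four address:port pairs in an IPNAT message.
NAT_FIELDS = ("inside_local", "inside_global", "outside_local", "outside_global")

SAMPLE = [  # first two lines are the article's samples, the third is constructed
    'Feb 24 03:40:45 192.168.1.1 187368786: [syslog@9 s_sn="186126345"]: 188251944: '
    '*Feb 24 03:34:30.023 PCTime: IP: tableid=0, s=192.168.1.1 (local), '
    'd=192.168.1.19 (Vlan1), routed via FIB',
    'Feb 24 03:43:16 192.168.1.1 187368860: [syslog@9 s_sn="186126419"]: 188252014: '
    '*Feb 24 03:36:59.631 PCTime: %IPNAT-6-CREATED: icmp 192.168.1.2:4 '
    '62.89.67.179:4 212.77.100.101:4 212.77.100.101:4',
    'not a syslog line',
]


def parse_line(line):
    """Return a dict for one log line, or None if the header does not match."""
    head = HEADER.match(line)
    if head is None:
        return None
    rec = {"received": head["received"], "sender": head["sender"],
           "session_seq": None, "tag": None, "severity": None, "nat": None}
    seq = SEQ.search(line)
    if seq:
        rec["session_seq"] = int(seq["sn"])
    tag = TAG.search(line)
    if tag is None:  # "debug ip packet" output carries no %FACILITY-SEVERITY-MNEMONIC tag
        return rec
    rec["tag"] = f'{tag["facility"]}-{tag["mnemonic"]}'
    rec["severity"] = SEVERITY[int(tag["severity"])]
    parts = tag["text"].split()
    if tag["facility"] == "IPNAT" and len(parts) == 5:
        rec["nat"] = {"protocol": parts[0], **dict(zip(NAT_FIELDS, parts[1:]))}
    return rec


def nat_translations(lines):
    """List (tag, protocol, inside_local, outside_global) for every NAT event."""
    recs = [r for r in map(parse_line, lines) if r and r["nat"]]
    return [(r["tag"], r["nat"]["protocol"], r["nat"]["inside_local"],
             r["nat"]["outside_global"]) for r in recs]
```

To process the real log, pass the lines of /var/log/cisco to nat_translations instead of SAMPLE.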

The last step is to save our router configuration.

z-acte#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]